
Ask HN: I can't tell why my site is showing malware warning.

91 points, posted by balsamiq over 13 years ago

UPDATE: we took down our site for now. Thanks all.

UPDATE: STAY AWAY FROM OUR SITE, it seems like it's compromised for real (even though all the official signs point to the opposite). I have asked WPEngine to turn it off immediately.

----

Hello HN, I hope there's some googler here who can help me.

My website http://balsamiq.com has started showing a malware warning in Chrome (and intermittently in Firefox as well) about 20 minutes ago.

The interesting thing is that the Google Diagnostics page here: http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http%3A%2F%2Fbalsamiq.com%2F&client=googlechrome&hl=en-US says we're clean.

Also, Google Webmaster tools says we're clean as well, so there's no way to request a review for them.

Also, http://www.stopbadware.org/home/reportsearch doesn't show anything for balsamiq.com.

OK so if my site is clean, which I think/hope it is, why is it showing the warning and what can I do about it?

Sorry if this is not really "news" but I hope there's someone here who has had this issue before...

22 comments

pierrefar, over 13 years ago

Hi

I work at Google helping webmasters. Hopefully there won't be a next time, but for reference, your best bet is to post in our forum specifically about this type of issue: http://www.google.com/support/forum/p/Webmasters/label?lid=2fe2a8ee8e37c08e&hl=en

For your specific case, unfortunately it can be anything. Start at the HTML and JS and see if it's different in ways you don't expect. Check for obfuscation techniques like base64 encoded PHP code, or JS code in libraries that is not in the original distribution. It really can be anything. Also check your .htaccess, any CMS and its plugins, etc. Really check everything.

That should identify the issue. Once you do, fix it, and try to understand why it happened. Was your FTP password compromised? Was it a known vulnerability in your CMS? Was it a rogue plugin you installed by mistake? Identifying the attack vector is very important as you will need to close it too. Otherwise all your hard work fixing the site will be undone in no time.

Also be sure to check any other parts of your site: the attacker might have entered through one CMS (say a forum) and compromised another (say a blog).

That's basically a summary of what you need to be doing. We have a very detailed guide about dealing with hacked sites: http://www.google.com/support/webmasters/bin/answer.py?answer=163634. It recommends quarantining the site and returning HTTP 503. That's a very good first step.

And if you need more help, seriously, the forum I linked to above has a great community that knows a lot about identifying and fixing these issues.

Hope this helps, Pierre
rkalla, over 13 years ago

Peldi, something similar to this happened to me for a number of years (I've run my own WP site for 6 years now); every 3 months or so, no matter what I did to lock the site down it would get reinfected with malware.

It got so frustrating that I toyed with just taking the site down permanently a few times because I couldn't handle the maintenance burden psychologically (it was such a downer to be fighting the same fight every few months for 2 years).

BUT, I finally found out what had happened, apparently there are some f-ing ingenious ways people can hide hacks in your WordPress site.

I outlined all of my steps here: http://www.thebuzzmedia.com/finding-and-removing-hidden-wordpress-hacks/

The basic trick boils down to uploading a fake HTML or image file that is actually a PHP script that hides in your server folder and is executed by the running process every few weeks which then infects all the other files (adding in JS headers or footers to every template file).

Another nasty trick is to use the same mis-named file uploaded into your /uploads directly, but to register it as one of your WordPress plugins. So if you search the WP database plugin table for non-PHP extensions you might find a "plugin" registered as "/uploads/2011/06/profile.jpg" when in reality it is a PHP file and not an image that WordPress is executing.

The blog post outlines how to find and remove them, I'd also recommend against running WordPress with permissions that don't allow writing except for the /uploads directory.

This means no more automatic updates inside of WordPress, you'll have to do them yourself (same for plugins) but it also means no more hacks getting through and writing themselves to your DB or file system. They can even upload themselves but then cannot affect the system in any way because the executing process has no write perms.

It has just been a lot easier for me to run in that fashion and keep everything up to date manually.

Hope that helps!
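An added example, not from rkalla's post or the linked write-up, of the two checks just described: flag files under the uploads directory whose extension says image or HTML but whose bytes carry a PHP open tag or the wrong magic number, and parse the PHP-serialized `active_plugins` option value (the "plugin table" entry) for anything outside the normal `dir/file.php` form. The directory tree and the option string are constructed sample data.

```python
import re
import tempfile
from pathlib import Path

IMAGE_MAGIC = {".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
               ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a")}  # expected leading bytes
PHP_TAG = re.compile(rb"<\?php\b|<\?=")
SERIALIZED_STR = re.compile(rb's:(\d+):"')  # PHP serialize() string header

def disguised_php_files(uploads_dir):
    """Non-.php files that hold a PHP open tag or carry an image extension with wrong magic bytes."""
    hits = []
    for path in Path(uploads_dir).rglob("*"):
        ext = path.suffix.lower()
        if not path.is_file() or ext == ".php":
            continue  # directories and genuine PHP files are out of scope for this check
        data = path.read_bytes()
        reasons = ["php-tag"] if PHP_TAG.search(data) else []
        if ext in IMAGE_MAGIC and not data.startswith(IMAGE_MAGIC[ext]):
            reasons.append("bad-magic")
        if reasons:
            hits.append((path.relative_to(uploads_dir).as_posix(), reasons))
    return sorted(hits)

def suspicious_active_plugins(serialized):
    """Entries of the PHP-serialized 'active_plugins' option that are not a plain
    'dir/file.php' path inside wp-content/plugins."""
    entries, pos = [], 0
    while (m := SERIALIZED_STR.search(serialized, pos)):
        length, start = int(m.group(1)), m.end()
        entries.append(serialized[start:start + length].decode("utf-8", "replace"))
        pos = start + length  # skip the body so a string's contents are never re-parsed
    return [e for e in entries
            if not e.endswith(".php") or e.startswith(("/", "..")) or "uploads/" in e]

def demo():
    """Constructed sample (not real data): a clean PNG, a 'JPEG' that is really PHP,
    a hidden .html with embedded PHP, and a plugin list that activates the fake image."""
    samples = {"photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
               "profile.jpg": b"<?php /* constructed placeholder, not a payload */ echo 1; ?>",
               ".cache.html": b"<html><?php echo 'x'; ?></html>"}
    with tempfile.TemporaryDirectory() as d:
        sub = Path(d, "2011", "06")
        sub.mkdir(parents=True)
        for name, body in samples.items():
            (sub / name).write_bytes(body)
        files = disguised_php_files(d)
    plugins = suspicious_active_plugins(
        b'a:2:{i:0;s:19:"akismet/akismet.php";i:1;s:30:"../uploads/2011/06/profile.jpg";}')
    return files, plugins
```

Point `disguised_php_files` at a real `wp-content/uploads` and feed `suspicious_active_plugins` the `option_value` of the `active_plugins` row from `wp_options`; the magic-byte table covers only the common image types, so extend it for others you serve.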
Matt_Cutts, over 13 years ago

Sorry to hear that you got infected. You're getting good advice from pierrefar and others here, but here's one other tip: once you get your site back up, you can doublecheck that you're not infected by using the "Fetch as Googlebot" feature in Google's free webmaster console.

When you use Fetch as Googlebot, we actually send a crawler to your site, fetch the page you request, and then show you exactly what Googlebot saw. It's an extra way to tell if you've gotten rid of the hacked junk.
danielh, over 13 years ago

FWIW, I just visited your site and it contained some compressed JavaScript at the top and a broken link to http: // gsdgsd.freewww.biz/showthread.php?t=72881717 (slightly obfuscated to avoid accidental clicks). It was gone after a reload, so I can't give you any more information.
relix, over 13 years ago

Chrome uses a bloom filter[1] to check a URL against a list of known malware sites. It's possible your URL, by coincidence, has become a false positive.

However the article also mentions that once found in the bloom hashes, Chrome checks in with HQ if the URL is malware or not, probably to avoid false positives. Maybe these servers are down, and Chrome by default marks all (false) positives as malware without checking with HQ.

Keep in mind that this is the web security's equivalent of saying "my program doesn't work because there's a bug in the compiler", it should be pretty low on the probability list.

[1]: http://blog.alexyakunin.com/2010/03/nice-bloom-filter-application.html
nodata, over 13 years ago

The only part that is relevant to you is the last part:

"In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message."

So maybe you sourced some external javascript or advertising that contained something bad.

Edit: what does that obfuscated code at the top of the html do? http://pastebin.com/u3T3wJcG

Edit2: I think it's a bit irresponsible to post a page that has been marked as containing malware to a highly trafficked website. You could have at least run it through some alternative scanners first.
balsamiq, over 13 years ago

Hello everyone. Our site is back, clean and the malware warnings are gone. The guys at WPEngine.com dealt with this very quickly and professionally today, you should check them out.

I wrote a little status update here if you're interested: http://pastebin.com/V3jwaL1Q

On one hand I feel bad for posting this and possibly infecting people as a result. On the other we now all have a wonderful collection of tips for securing Wordpress websites. This community is _truly_ valuable. Thanks all.

Peldi
e03179, over 13 years ago

Overwrite core WordPress files first. Run WordPress Exploit Scanner to root out anything in the database, and WordPress File Monitor as a tripwire going forward.

http://wordpress.org/extend/plugins/exploit-scanner/

http://wordpress.org/extend/plugins/wordpress-file-monitor/

That's what I did when I had this same issue happen to me on my WP installs (yeah, the same hole infected other sites on the server). These plugins showed me what files on my server had been changed and where the offending code was.

How old is your WP install? The hole could actually be in a plugin you are using. That was the case with me.

Also, TimThumb.php was recently in the news as having a security hole in it.

For good measure, here is the Hardening Wordpress article from WP: http://codex.wordpress.org/Hardening_WordPress
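An added example, not from e03179's post or either plugin, of the tripwire idea: take a manifest of file hashes from a known-clean install, store it outside the web root, and diff a fresh manifest against it later to list added, removed and modified files. The install tree and the changes applied to it are constructed sample data.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def build_manifest(root):
    """sha256 of every regular file under root, keyed by POSIX-style relative path."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def save_manifest(manifest, path):
    """Persist the baseline. Keep it outside the document root: a compromise of the
    web tree must not be able to rewrite the record it is compared against."""
    Path(path).write_text(json.dumps(manifest, indent=1, sort_keys=True))

def load_manifest(path):
    return json.loads(Path(path).read_text())

def diff_manifest(baseline, current):
    """Added, removed and modified paths between the baseline and a fresh manifest."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }

def demo():
    """Constructed sample (not a real install): take a baseline, then mimic the changes
    the thread describes (a template gains an injected script tag, a disguised file
    appears under uploads) plus one benign change (a cache file deleted)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d, "htdocs")
        for rel, body in {"wp-config.php": b"<?php define('DB_NAME', 'wp');",
                          "wp-content/themes/t/footer.php": b"<?php wp_footer(); ?>",
                          "wp-content/cache/page.html": b"<html>cached</html>"}.items():
            Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
            Path(root, rel).write_bytes(body)
        baseline_file = Path(d, "baseline.json")  # outside htdocs on purpose
        save_manifest(build_manifest(root), baseline_file)
        with open(Path(root, "wp-content/themes/t/footer.php"), "ab") as fh:
            fh.write(b"\n<script>/* constructed stand-in for an injected tag */</script>")
        Path(root, "wp-content/uploads/2011/06").mkdir(parents=True)
        Path(root, "wp-content/uploads/2011/06/profile.jpg").write_bytes(b"<?php echo 1; ?>")
        Path(root, "wp-content/cache/page.html").unlink()
        return diff_manifest(load_manifest(baseline_file), build_manifest(root))
```

Run `build_manifest` right after the "overwrite core files" step so the baseline is of a tree you trust; for the core files alone, WP-CLI's `wp core verify-checksums` performs the same comparison against the checksums WordPress.org publishes.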
kevinburke, over 13 years ago

I used to see this type of problem at Google.

Your site may have been hacked. Check the site:balsamiq.com search for injected hacked pages. Check also for injected text being hidden by CSS, and try if you can to view your site through a proxy like HideMyAss, to see if they are showing you one version of the page and showing users a different one.

Also, if Google knows your site's hacked, there should be a message inside the Webmaster Tools account for balsamiq.com - check there for more information.
photomatt, over 13 years ago
Co-founder of WordPress here -- since no one has mentioned it yet: I would highly recommend VaultPress, it's designed exactly to protect against this sort of thing.
balsamiq, over 13 years ago
Update: the site is cleaned up and back up, we're just waiting for Google review.
knes, over 13 years ago
Do you run a Wordpress Blog? Is it up to date? There was a big "Hack" going around last month on the wordpress platform.
aliparr, over 13 years ago

FWIW The sophos anti-virus I'm forced to use at work says this is the problem:

http://www.sophos.com/en-us//threat-center/threat-analyses/viruses-and-spyware/Mal~HTMLGen-A.aspx

It's probably wrong though!
sucuri2, over 13 years ago

You could also use http://sitecheck.sucuri.net .

However, since the site is now disabled, it won't find anything...

*note that we see this type of malware on sites with vulnerable plugins or using that uploadify script.

thanks,
absth, over 13 years ago

What we have been seeing is that web malware that appears intermittently, only appearing to certain browsers and not appearing twice in a row to the same browser/IP, is usually pushed in via an FTP credential compromise.

The code often resides in template files, in config files and/or sometimes is also put into the database.

We've seen a lot of this kind of "intermittent" malware through the recent timthumb attacks on WP sites: http://www.stopthehacker.com/2011/08/30/timthumb-malware/

You've already got a lot of good information from the other responders, so I will not repeat the obvious, but great, points. Change password, check plugins..
tonywebster, over 13 years ago

Maldet is an awesome open-source linux program that searches a directory for malware signatures. http://www.rfxn.com/projects/linux-malware-detect/

I've used it dozens of times successfully, and with WordPress sites, it's usually a PHP backdoor uploaded into wp-content/uploads, and then compressed JS added into a file somewhere. Run it with -a.

Good luck!
fduran, over 13 years ago

Run this just in case (free) http://www.qualys.com/forms/trials/stopmalware/
donpark, over 13 years ago

Can you share what the nature of the malware was?

I've updated my Balsamiq Mockups desktop app at around 10 hrs ago and now am concerned whether malware might have tagged along.

If the site is clean now, should I get a fresh copy?
d0ne, over 13 years ago

You should check out CodeGuard[1]. It is a great tool for issues just like this.

[1] https://www.codeguard.com/
didigogo, over 13 years ago

Also try masking your user agent as google bot. In the past I've seen people mask the results for google bots to build backlinks.
jccodez, over 13 years ago

Rename your wp-admin. It's a known target.
infocaptor, over 13 years ago

You could run these commands on a regular basis:

    grep -R "document.write(unescape" * > js_malware.txt

    grep -iR --include "*.php" "[a-zA-Z0-9\/\+]\{255,\}" * > php_malware.txt

Once the commands complete, examine the .txt files and see if any files are compromised.
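An added example, not from infocaptor's or pierrefar's posts, that carries the two greps above and pierrefar's "base64 encoded PHP" check into one scanner reporting file and line per rule; the rule names are my own and the site tree it scans is constructed sample data.

```python
import re
import tempfile
from pathlib import Path

# Rules from the thread: infocaptor's two greps, plus the "base64 encoded PHP" pattern
# pierrefar describes. Each entry is (rule name, extensions it applies to, regex).
RULES = [
    ("js-write-unescape", None, re.compile(r"document\.write\s*\(\s*unescape\s*\(")),
    ("php-long-base64-run", {".php"}, re.compile(r"[A-Za-z0-9/+]{255,}")),
    ("php-eval-decode", {".php"},
     re.compile(r"eval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(")),
]
SCAN_EXTENSIONS = {".php", ".js", ".html", ".htm"}

def scan_file(path):
    """Return (line_number, rule_name) for every rule that fires in one file."""
    path = Path(path)
    hits = []
    for lineno, line in enumerate(path.read_text(encoding="utf-8", errors="replace").splitlines(), 1):
        for name, exts, rx in RULES:
            if (exts is None or path.suffix.lower() in exts) and rx.search(line):
                hits.append((lineno, name))
    return hits

def scan_tree(root):
    """Map relative path -> hits for every scanned file with at least one hit. Expect noise:
    vendored minified JS and long legitimate strings trip the 255-character rule, so diff
    each flagged file against the original distribution rather than deleting on sight."""
    root, report = Path(root), {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in SCAN_EXTENSIONS:
            hits = scan_file(p)
            if hits:
                report[p.relative_to(root).as_posix()] = hits
    return report

def demo():
    """Constructed sample tree (not real site content): a clean theme file, an injected template, a blob."""
    files = {
        "wp-content/themes/t/functions.php": "<?php add_action('init', 'setup'); ?>\n",
        "wp-content/themes/t/header.php":
            "<html>\n<script>document.write(unescape('%3C%21--constructed--%3E'));</script>\n",
        "wp-includes/cache.php": "<?php\n/* constructed: the long opaque string is the signal */\n"
                                 "eval(base64_decode('" + "A" * 300 + "'));\n",
    }
    with tempfile.TemporaryDirectory() as d:
        for rel, body in files.items():
            p = Path(d, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body, encoding="utf-8")
        return scan_tree(d)
```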